Plastic Surgery Associates of South Dakota Resolution Agreement and Corrective Action Plan

RESOLUTION AGREEMENT

I.  Recitals

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
   1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 Code of Federal Regulations (“C.F.R.”) Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information 45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (“PHI”) (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (“the HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
   2. Plastic Surgery Associates of South Dakota, Ltd. (“PSASD”) is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Rules.
   3. HHS and PSASD shall together be referred to herein as the “Parties.”
2. No Admission. This Agreement is not an admission of liability by PSASD.
3. No Concession. This Agreement is not a concession by HHS that PSASD is not in violation of the HIPAA Rules and not liable for civil money penalties (“CMPs”).
4. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR 
   Transaction Complaint Number 17-277453 and any potential violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.5 of this Agreement. In consideration of the Parties’ interest in avoiding uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.
5. Factual Background and Covered Conduct.
   
   OCR initiated an investigation of PSASD following the receipt of PSASD’s breach report on July 27, 2017. PSASD’s breach report stated that it discovered, on February 12, 2017, that nine workstations and two servers were infected with ransomware, affecting 10,229 individuals’ PHI. The credentials the hacker(s) used to access PSASD’s network were obtained through a brute force attack to PSASD’s remote desktop protocol. After discovering the breach, PSASD was unable to restore the affected servers from backup, and PSASD made two bitcoin ransom payments in the sum of $27,399.97 to the hacker(s) in exchange for decryption keys for its patients’ PHI. OCR’s investigation of PSASD revealed that PSASD demonstrated significant noncompliance with the HIPAA Rules, and the following Covered Conduct occurred:
   1. PSASD failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, PSASD has failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its electronic protected health information (“ePHI”). See 45 C.F.R. § 164.308(a)(1)(ii)(A).
   2. PSASD also failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.  See 45 C.F.R. § 164.308(a)(1)(ii)(B).
   3. PSASD failed to establish and implement policies and procedures for regularly reviewing activity on its information systems that contain ePHI.  See 45 C.F.R. § 164.308(a)(1)(ii)(D).
   4. PSASD failed to implement policies and procedures to address security incidents. See 45 C.F.R. § 164.308(a)(6).

II. Terms and Conditions

6. Payment. HHS has agreed to accept, and PSASD has agreed to pay HHS, the amount of $500,000 (“Resolution Amount”). PSASD agrees to pay the Resolution Amount within thirty (30) days of the Effective Date of this Agreement as defined in paragraph II.14 pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan. PSASD has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If PSASD breaches the CAP and fails to cure the breach as set forth in the CAP, then PSASD will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS. In consideration and conditioned upon PSASD’s performance of its obligations under this Agreement, HHS releases PSASD from any actions it may have against PSASD under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.5 of this Agreement. HHS does not release PSASD from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 United States Code (“U.S.C.”) § 1320d-6.
9. Agreement by Released Parties. PSASD shall not contest the validity of its obligations to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. PSASD waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on PSASD and its successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties.
    All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties. 
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a CMP must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, PSASD agrees that the time between the Effective Date of this Agreement and the date the Agreement may be terminated by reason of PSASD’s breach plus one year thereafter, will not be included in calculating the six-year statute of limitations applicable to the violations which are the subject of this Agreement. PSASD waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Conduct identified in paragraph I.5 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 
18. Authorizations. The individual(s) signing this Agreement on behalf of PSASD represents and warrants that they are authorized by PSASD to execute this Agreement. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.

For Plastic Surgery Associates of South Dakota, Ltd.

/s/
Dr. James A. Breit, Owner 
Plastic Surgery Associates of South Dakota, Ltd.

Date: 5/3/2024

For the United States Department of Health and Human Services

/s/
Andrea Oliver
Regional Manager, Rocky Mountain Region
Office for Civil Rights

Date: 5/3/2024

Appendix A
CORRECTIVE ACTION PLAN
BETWEEN THE
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
Plastic Surgery Associates of South dakota, Ltd.

I. Preamble

Plastic Surgery Associates of South Dakota, Ltd. (hereinafter known as “PSASD”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, PSASD is entering into the Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. PSASD enters into this CAP as part of consideration for the release set forth in paragraph II.8 of the Agreement. 

II. Contact Persons and Submissions

1. Contact Persons.

   PSASD has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports:

   Dr. James A. Breit, Owner                                                                               
   Plastic Surgery Associates of South Dakota
   4201 South Minnesota Avenue, Suite 112
   Sioux Falls, South Dakota  57105
   Telephone: (605) 335-3349 
   Email:  drbreit@icloud.com

   HHS has identified the following individual as its authorized representative and contact person with whom PSASD is to report information regarding the implementation of this CAP:

   Andrea Oliver, Regional Manager
   U.S. Department of Health and Human Services
   Office for Civil Rights – Rocky Mountain Region 
   1961 Stout Street, Room 08.148
   Denver, Colorado  80294
   Telephone: (303) 844-7915
   Facsimile: (303) 844-2025 
   Email:  Andrea.Oliver@hhs.gov        

   PSASD and HHS agree to promptly notify each other of any changes to the contact persons or other information provided above.
    

2. Proof of Submissions. 
   
   Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III. Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by PSASD under this CAP shall begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS has notified PSASD under Section VIII hereof of its determination that PSASD breached this CAP. In the event of such notification by HHS under Section VIII hereof, the Compliance Term shall not end until HHS either (1) notifies PSASD that it has determined the breach has been cured or (2) notifies PSASD under Section VIII.D hereof that it will seek imposition of a CMP. After the Compliance Term ends, PSASD shall still be obligated to submit the final Annual Report as required by Section VI and comply with the document retention requirement in Section VII. Nothing in this CAP is intended to eliminate or modify PSASD’s obligation to comply with the documentation retention requirements in 45 Code of Federal Regulations (C.F.R.) §§ 164.316(b) and 164.530(j). 

IV. Time

In computing any period of time prescribed or allowed by this CAP, all days referred to shall be calendar days. The day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

PSASD agrees to the following:

1. Security Management Process
   1. Risk Analysis
      1. PSASD shall conduct an accurate and thorough Risk Analysis of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI created, received, maintained, or transmitted by PSASD or on its behalf. The Risk Analysis shall incorporate PSASD’s facilities, whether owned or rented, and evaluate the risks to the ePHI on its electronic equipment, data systems, and applications controlled, administered, or owned by PSASD that create, receive, maintain, or transmit ePHI. Prior to conducting the Risk Analysis, PSASD shall submit within thirty (30) days of the Effective Date its intended methodology and scope, including  a complete inventory of all its categories of electronic equipment, data systems, and applications that create, receive, maintain, or transmit ePHI, and then incorporate such inventory into its Risk Analysis. Upon HHS’s approval of the methodology and scope, PSASD shall have ninety (90) days of the Effective Date to submit the Risk Analysis to HHS for review and approval.
      2. Upon receiving HHS’s notice of any required revisions to the Risk Analysis, PSASD shall have sixty (60) days in which to revise its Risk Analysis accordingly, and then shall continue to make such revisions until HHS approves the Risk Analysis.
      3. Thereafter, PSASD shall review its Risk Analysis annually (or more frequently, if appropriate) and shall promptly conduct an evaluation, and update the Risk Analysis, as necessary, in response to environmental or operational changes affecting the security of ePHI throughout PSASD. Following any updates to its Risk Analysis, PSASD shall assess whether its existing security measures are sufficient to protect its ePHI and revise its Risk Management Plan, policies and procedures, training materials, and implement additional security measures as needed.
   2. Risk Management
      1. Within ninety (90) days of HHS’s final approval of the Risk Analysis conducted pursuant to Section V.A.1 above, PSASD shall provide HHS with a Risk Management Plan that addresses and mitigates the security risks and vulnerabilities identified in the Risk Analysis for HHS’s review and approval. The Risk Management Plan shall include a process and timeline for PSASD implementation, evaluation, and revision of their risk mitigation activities.
      2. Upon receiving notice from HHS specifying any required changes to the Risk Management Plan, PSASD shall have sixty (60) days in which to revise its Risk Management Plan accordingly, and then shall continue to make such revisions until HHS approves the Risk Management Plan.
      3. PSASD shall promptly implement the Risk Management Plan upon HHS’s final approval in accordance with PSASD’s applicable administrative procedures.
2. Policies and Procedures
   1. Security Management Process
      1. PSASD shall, to the extent necessary, revise its current policies and procedures relating to Risk Analysis and the implementation of the Risk Management Plan, as required by Sections V.A.1 and V.A.2, respectively. Further, PSASD shall create and implement policies and procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports. Such policies and procedures must comply with the HIPAA Rules. 45 C.F.R. § 164.316(a).
      2. Within thirty (30) days of the Effective Date for this CAP, PSASD shall submit the policies and procedures required by Section V.B.1.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, PSASD shall have thirty (30) days in which to revise the policies and procedures accordingly, and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.B.1.a, PSASD shall finalize and officially adopt them in accordance with its applicable administrative procedures.
   2. Security Incident Procedures
      1. PSASD shall create and implement policies and procedures to address security incidents, including a process for: identifying and responding to known security incidents; mitigating, to the extent practicable, harmful effects of known security incidents; and documenting (in writing) security incidents and their outcomes.
      2. Within thirty (30) days of the Effective Date for this CAP, PSASD shall submit the policies and procedures required by Section V.B.2.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, PSASD shall have thirty (30) days in which to revise the policies and procedures accordingly, and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.B.2.a, PSASD shall finalize and officially adopt them in accordance with its applicable administrative procedures.
   3. Data Backups
      1. PSASD shall create and implement policies and procedures to establish and implement procedures to create and maintain retrievable exact copies of ePHI, including a process to: test the recoverability of backups on a regular basis to ensure that a retrievable exact copy will be available; create and maintain multiple copies of encrypted backups; and securely store backups in differing locations.
      2. Within thirty (30) days of the Effective Date for this CAP, PSASD shall submit the policies and procedures required by Section V.B.3.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, PSASD shall have thirty (30) days in which to revise the policies and procedures accordingly, and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.B.3.a, PSASD shall finalize and officially adopt them in accordance with its applicable administrative procedures.
   4. Person or Entity Authentication
      1. PSASD shall create and implement policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed. 
      2. Within thirty (30) days of the Effective Date for this CAP, PSASD shall submit the policies and procedures required by Section V.B.4.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, PSASD shall have thirty (30) days in which to revise the policies and procedures accordingly, and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.B.4.a, PSASD shall finalize and officially adopt them in accordance with its applicable administrative procedures.
   5. Access Controls
      1. PSASD shall create and implement policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
      2. Within thirty (30) days of the Effective Date for this CAP, PSASD shall submit the policies and procedures required by Section V.B.5.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, PSASD shall have thirty (30) days in which to revise the policies and procedures accordingly, and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.B.5.a, PSASD shall finalize and officially adopt them in accordance with its applicable administrative procedures.
   6. Uses and Disclosures of PHI
      1. PSASD shall revise its policies and procedures relating to uses and disclosures of PHI to ensure that its workforce members understand: 1) the circumstances under which PSASD may use and disclose PHI; 2) how to identify situations that constitute impermissible uses and disclosures of PHI; and 3) how and when to report situations that might constitute impermissible uses and/or disclosures of PHI to PSASD’s Privacy or Security Officer. PSASD’s policies shall also include procedures for effective oversight and supervision of its workforce members to ensure their compliance with the policy. Such policies and procedures must comply with the HIPAA Rules.
      2. Within thirty (30) days of the Effective Date for this CAP, PSASD shall submit the policies and procedures required by Section V.B.6.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, PSASD shall have thirty (30) days in which to revise the policies and procedures accordingly, and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.B.6.a, PSASD shall finalize and officially adopt them in accordance with its applicable administrative procedures. 
   7. Breach Notification
      1. PSASD shall, to the extent necessary, revise its Breach Notification policies and procedures to ensure that its workforce members understand that, following the discovery of a breach of unsecured PHI, PSASD must notify affected individuals without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. In addition, for a breach of unsecured PHI, PSASD must notify the HHS Secretary, and, in certain circumstances, to the media. Such policies and procedures must comply with the HIPAA Breach Notification Rules.
      2. Within thirty (30) days of the Effective Date for this CAP, PSASD shall submit the policies and procedures required by Section V.B.7.a to HHS for review and approval. Upon receiving any such notice of required revisions to such policies and procedures from HHS, PSASD shall have thirty (30) days in which to revise the policies and procedures accordingly, and submit the revised policies and procedures to HHS for review and approval. The submission and review process shall continue until HHS approves such policies and procedures.
      3. Within thirty (30) days of HHS’s approval of the revised policies and procedures required by Section V.B.7.a, PSASD shall finalize and officially adopt them in accordance with its applicable administrative procedures.
3. Training
   1. Within ninety (90) days of HHS’s final approval of PSASD’s revised HIPAA Policies and Procedures required in Section V.B.1 through V.B.7, PSASD shall forward its proposed training materials on its revised policies and procedures for purposes of compliance with Section VI.B.3 below, to HHS for review and approval. PSASD’s training materials shall also include privacy and security awareness training related to: a) breach and security incident reporting; b) protection from malicious software; c) log-in monitoring; and d) password management.
   2. Upon receiving any required revisions to the training materials from HHS, PSASD shall have thirty (30) days in which to revise the training materials, and then submit the revised training materials to HHS for review and approval.
   3. Within sixty (60) days of HHS’s approval of the training materials, PSASD shall ensure that: a) all workforce members who use or disclose PHI have received such training; b) these workforce members will continue to receive such training annually; and c) PSASD will provide each of its new workforce members such training within fifteen (15) days of beginning work at PSASD. Further, PSASD shall obtain and maintain written or electronic training certifications from all persons who are required to attend training under this CAP.
   4. PSASD shall submit an attestation signed by the PSASD CEO to HHS attesting that PSASD is obtaining and maintaining written or electronic training certifications from all persons who are required to attend training under this CAP
   5. PSASD shall review the training materials annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.
4. Reportable Events
   1. During the Compliance Term, PSASD shall, upon receiving information that a workforce member may have failed to comply with its policies and procedures addressing the requirements of the HIPAA Rules, promptly investigate the matter. If PSASD, after review and investigation, determines that a workforce member has failed to comply with them, PSASD shall report such events to HHS as provided in Section VI.B. Such violations shall be known as Reportable Events. The report to HHS shall include the following:
      1. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of PSASD’s Privacy, Security, and Breach Notification policies and procedures.
      2. A description of the actions taken and any further steps PSASD plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with the Privacy, Security, and Breach Notification policies and procedures.
   2. If no Reportable Events occur during the Compliance Term, PSASD shall so inform HHS in the Annual Report as specified in Section VI.B below.

VI. Implementation Report and Annual Reports

1. Implementation Report. Within one hundred and twenty (120) days after HHS approves the Risk Management Plan, as specified in Section V.A.2.c above, PSASD shall submit a written report with the documentation described below to HHS for review and approval (“Implementation Report”). The Implementation Report shall include:
   1. An attestation signed by the PSASD CEO attesting that it is implementing the Risk Management Plan, and documentation indicating the date of implementation.
   2. An attestation signed by the PSASD CEO attesting that the policies and procedures in Section V.B are being implemented, and the date of implementation.
   3. An attestation signed by the PSASD CEO attesting that all required members of the workforce have participated in the training required in Section V.C.
   4. An attestation signed by the PSASD CEO stating that she/he has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
2. Annual Reports. The one-year period after the Effective Date and each subsequent one-year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within sixty (60) days after the close of each corresponding Reporting Period, PSASD shall submit a report or reports to HHS regarding PSASD’s compliance with this CAP for each corresponding Reporting Period (“Annual Report”). The Annual Report shall include:
   1. A copy of the schedule, topic outline, and training materials for the training programs provided during the Reporting Period that is the subject of the Annual Report;
   2. An attestation signed by the PSASD CEO attesting that PSASD is obtaining and maintaining written or electronic training certifications from all persons who are required to attend training under this CAP;
   3. An attestation signed by  the PSASD CEO attesting that any revision(s) to the policies and procedures required by Section V.B were finalized and adopted within thirty (30) days of HHS’s approval of the revision(s), which shall include a statement affirming that PSASD distributed the revised policies and procedures to all appropriate members of PSASD’s workforce within sixty (60) days of HHS’s approval of the revision(s); and
   4. A summary of Reportable Events, if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by the PSASD CEO stating that no Reportable Events occurred during the Compliance Term.

VII. Document Retention

PSASD shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII. Breach Provisions

PSASD is expected to fully and timely comply with all provisions contained in this CAP.

1. Timely Written Requests for Extensions.
2. Notice of Breach of this CAP and Intent to Impose Civil Money Penalty.
3. PSASD’s Response.
   1. PSASD is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
   2. The alleged breach has been cured; or
   3. The alleged breach cannot be cured within the thirty (30) day period, but that: (a) PSASD has begun to take action to cure the breach; (b) PSASD is pursuing such action with due diligence; and (c) PSASD has provided to HHS a reasonable timetable for curing the breach.
4. Imposition of CMP
   
    

For Plastic Surgery Associates of South Dakota, Ltd.

/s/
Dr. James A. Breit, Owner 
Plastic Surgery Associates of South Dakota, Ltd.

Date: 5/3/2024

For U.S. Department of Health and Human Services

/s/
Andrea Oliver
Regional Manager, Rocky Mountain Region
Office for Civil Rights

Date: 5/3/2024